Blocking an IPSec subnet while letting a few hosts through
Hi,
I have an IPSec tunnel with another company. We have our subnets both set to /24. Now I want to block all of the other side, letting a few through, not the entire subnet.
I have a group with the hosts I'd like to allow, but I want to block the ones not in that group (mainly the rest, that is).
How would I need to proceed?
Jeroen
Accepted Solution
-
Hi @JeroenSoree,
You can create the following two security policy rules.
The priority of Rule 1 must be higher than Rule 2.
Rule 1
From: IPSec-VPN
To: LAN
Source: the group with hosts from the remote VPN site you'd like to allow
Destination: the address of the local servers in ATP
Action: allow
Rule 2
From: IPSec-VPN
To: LAN
Source: any
Destination: any
Action: deny
In the following example, a site-to-site VPN is established between the ATP and another ZyWALL.
(192.168.1.0/24)ATP-----VPN------ZyWALL(192.168.10.0/24)
Only the IP addresses 192.168.10.33 and 192.168.10.34 from the remote site are able to access the local server in ATP.
Other IPs from the remote ZyWALL are not able to access the local server in ATP.
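The answer relies on two things: first-match evaluation (the first rule whose zones, source and destination all match decides the verdict) and the allow rule sitting above the deny-all. The following added example, which is not part of the thread and not Zyxel code, models that evaluation in Python so the rule set can be audited before it is trusted. It uses the addresses from the diagram above; the local server address 192.168.1.10, the second server 192.168.1.20 and the "deny on no match" fallback are constructed assumptions for the example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

# Either the literal "any" or a tuple of networks, mirroring the rule fields in the answer.
Networks = Union[str, Tuple[ipaddress.IPv4Network, ...]]


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    sources: Networks
    destinations: Networks
    action: str  # "allow" or "deny"


def _nets(cidrs):
    return tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)


def _matches(networks: Networks, addr: ipaddress.IPv4Address) -> bool:
    if networks == "any":
        return True
    return any(addr in net for net in networks)


def evaluate(rules: List[Rule], src_zone, dst_zone, src_ip, dst_ip):
    """First-match evaluation: rules are tried in priority order and the first
    one whose zones, source and destination all match decides the verdict."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if _matches(rule.sources, src) and _matches(rule.destinations, dst):
            return rule.action, rule.name
    # Assumption for this example only: no rule matched, treat the flow as denied.
    return "deny", "no-match"


# Remote hosts and subnet come from the answer's diagram; the local server is constructed.
ALLOWED_REMOTE_HOSTS = ("192.168.10.33/32", "192.168.10.34/32")
REMOTE_SUBNET = "192.168.10.0/24"
LOCAL_SERVERS = ("192.168.1.10/32",)  # constructed for the example


def build_policy(allowed_hosts=ALLOWED_REMOTE_HOSTS, local_servers=LOCAL_SERVERS) -> List[Rule]:
    """The two rules from the answer, in the order they must be applied."""
    rule1 = Rule("Rule 1", "IPSec-VPN", "LAN", _nets(allowed_hosts), _nets(local_servers), "allow")
    rule2 = Rule("Rule 2", "IPSec-VPN", "LAN", "any", "any", "deny")
    return [rule1, rule2]


def hosts_allowed(rules, remote_subnet=REMOTE_SUBNET, dst_ip="192.168.1.10"):
    """Audit helper: walk every host in the remote /24 and return the set that
    the policy lets reach dst_ip, so the intended exceptions can be confirmed."""
    allowed = set()
    for host in ipaddress.ip_network(remote_subnet).hosts():
        verdict, _ = evaluate(rules, "IPSec-VPN", "LAN", str(host), dst_ip)
        if verdict == "allow":
            allowed.add(str(host))
    return allowed


if __name__ == "__main__":
    policy = build_policy()
    print("correct order:", sorted(hosts_allowed(policy)))
    # Swapping the priorities puts the deny-all first and nothing gets through.
    print("wrong order:  ", sorted(hosts_allowed(list(reversed(policy)))))
    # An allowed host reaching a server that is not in the destination object is still denied.
    print("allowed host, unlisted server:",
          evaluate(policy, "IPSec-VPN", "LAN", "192.168.10.33", "192.168.1.20"))
```

Two points the walk-through makes visible: reversing the two rules leaves the allow rule unreachable, which is why the answer insists Rule 1 has the higher priority, and because Rule 1 also restricts the destination, an allowed remote host is still blocked from any local address that is not in the server object. The model only covers the IPSec-VPN to LAN direction; traffic in other zone pairs is outside both rules.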
All Replies
-
-
Thanks a lot, works!